These processes include a requirement that notifications to impacted customers be communicated within 24 hours when they may involve our customers’ personal data. Meeting this requirement enables our customers to investigate and make the appropriate data breach notifications to regulators within the 72-hour timescale found in GDPR.

Plan and Prepare

Lanetix has identified internal personnel involved in incident management, including those involved in:

Detect and Report

Lanetix, together with our infrastructure vendors, has set up monitoring systems to detect current threats, via internal or external sources, and analyse them on a case-by-case basis.

Lanetix, together with our infrastructure vendors, has set up detection devices to alert us to any abnormal, suspicious, and malicious activities, as well as to specifically defined “security events.”

Assess and Decide

After evaluating the information detected and reported on, Lanetix determines whether the particular event rises to the level of an incident, and whether notification of competent authorities or individuals is required under law.

Lanetix documents the incident in an internal registry with facts about the violation, its effects and remediation measures taken.

Resolve and Notify

Lanetix must deal with the incident by:

Identifying and implementing measures to reduce its effects; and

Notifying competent authorities.

Lanetix must use available notification forms provided by competent authorities, such as:

breach notification forms

security incident forms

Lessons Learned

Lanetix must identify deficiencies and correct them, to reduce the risk of recurrence.

Lanetix must review any and all identified risks and update data protection impact assessments accordingly.